
Using Common Attack Pattern Enumeration (CAPEC) for Cyber Security Risk Assessment
CAPEC (Common Attack Pattern Enumeration and Classification) is a comprehensive dictionary and classification taxonomy of known security attacks developed by MITRE. Its goal is to advance community understanding of attacks and the defensive capabilities needed to counter them.
RASEN has developed an approach for automatically generating a risk model from the CAPEC dictionary. The generated risk model serves as a starting point for a cyber security risk assessment, avoiding the need to construct the risk model from scratch. The approach also allows the attacks described in the CAPEC dictionary to be analyzed and prioritized with respect to their impact on risk. In the following, we briefly illustrate the approach. For more details, see deliverable D4.2.2, section 2.
Each attack in the CAPEC dictionary is described using a common template. This template contains attributes such as the name of the attack, the typical weaknesses it exploits, and the consequences of the attack. An example of an attack described in the CAPEC dictionary (CAPEC-34) is shown in the table below.
Name: CAPEC-34, HTTP Response Splitting
Typical likelihood of exploit: Medium
Attack motivation / consequences:
  (Execute unauthorized code or commands, {Confidentiality, Integrity, Availability})
  (Gain privileges / assume identity, {Confidentiality})
CIA impact (Confidentiality, Integrity, Availability): (High, High, Low)
CWE ID (related weaknesses):
  CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
  CWE-697 Insufficient Comparison
  CWE-707 Improper Enforcement of Message or Data Structure
  CWE-713 OWASP Top Ten 2007 Category A2 - Injection Flaws
Note that only a subset of the attack attributes is shown in the table above. The CAPEC dictionary is distributed as an XML file. We have developed a tool that takes the CAPEC dictionary (the XML file) as input and automatically produces a CORAS risk model. An example of the CORAS risk model obtained by translating CAPEC-34 is shown in the figure below.
In our approach, each attack in the CAPEC dictionary is translated into a risk model of the form shown in the figure above. After the CAPEC dictionary has been transformed into a risk model, the user refines the risk model to make it specific to the target of evaluation and then assesses the risks.
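To make the translation concrete, the following added example (not the RASEN tool and not code from the post) sketches the CAPEC-to-risk-model mapping in Python. It reads a constructed, simplified XML record for CAPEC-34 whose element names are an assumption loosely modeled on the CAPEC schema, maps the attack pattern to a threat scenario, each related CWE to a vulnerability, each consequence scope to an asset with an unwanted incident, and the likelihood and CIA impact to likelihood and consequence values, and then ranks the resulting risks. The likelihood-times-consequence ranking is an assumed scale for illustration, not the one defined in deliverable D4.2.2.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# Constructed sample record for CAPEC-34. The element and attribute names are an
# assumption loosely modeled on the CAPEC XML schema; check them against the real
# CAPEC download before pointing this at it.
SAMPLE_CAPEC_XML = """<?xml version="1.0"?>
<Attack_Pattern_Catalog>
  <Attack_Patterns>
    <Attack_Pattern ID="34" Name="HTTP Response Splitting">
      <Likelihood_Of_Attack>Medium</Likelihood_Of_Attack>
      <Related_Weaknesses>
        <Related_Weakness CWE_ID="113"/>
        <Related_Weakness CWE_ID="697"/>
        <Related_Weakness CWE_ID="707"/>
      </Related_Weaknesses>
      <CIA_Impact>
        <Confidentiality_Impact>High</Confidentiality_Impact>
        <Integrity_Impact>High</Integrity_Impact>
        <Availability_Impact>Low</Availability_Impact>
      </CIA_Impact>
      <Consequences>
        <Consequence>
          <Scope>Confidentiality</Scope>
          <Scope>Integrity</Scope>
          <Scope>Availability</Scope>
          <Impact>Execute unauthorized code or commands</Impact>
        </Consequence>
        <Consequence>
          <Scope>Confidentiality</Scope>
          <Impact>Gain privileges / assume identity</Impact>
        </Consequence>
      </Consequences>
    </Attack_Pattern>
  </Attack_Patterns>
</Attack_Pattern_Catalog>
"""

ASSETS = ("Confidentiality", "Integrity", "Availability")
# Assumed ordinal scale used only for ranking; not RASEN's own scale.
RANK = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Risk:
    """One CORAS-style risk: a threat scenario leading to an unwanted incident on an asset."""
    threat_scenario: str
    likelihood: str
    vulnerabilities: List[str]
    unwanted_incident: str
    asset: str
    consequence: str


def capec_to_coras(xml_text: str) -> List[Risk]:
    """Translate every Attack_Pattern in the XML into a list of Risk objects."""
    root = ET.fromstring(xml_text)
    risks: List[Risk] = []
    for ap in root.iter("Attack_Pattern"):
        scenario = f"CAPEC-{ap.get('ID')}: {ap.get('Name')}"
        likelihood = ap.findtext("Likelihood_Of_Attack", default="Unknown")
        vulns = [f"CWE-{w.get('CWE_ID')}" for w in ap.iter("Related_Weakness")]
        # Per-asset consequence taken from the CIA impact triple.
        cia = {a: ap.findtext(f"CIA_Impact/{a}_Impact", default="Unknown") for a in ASSETS}
        # Each (consequence scope, impact) pair becomes an unwanted incident on that asset.
        for cons in ap.iter("Consequence"):
            impact = cons.findtext("Impact", default="Unknown")
            for scope in cons.findall("Scope"):
                asset = scope.text
                risks.append(Risk(scenario, likelihood, vulns, impact, asset, cia.get(asset, "Unknown")))
    return risks


def risk_score(r: Risk) -> int:
    """Assumed likelihood x consequence score; unknown values rank lowest."""
    return RANK.get(r.likelihood, 0) * RANK.get(r.consequence, 0)


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest-scoring risks first (stable, so document order breaks ties)."""
    return sorted(risks, key=risk_score, reverse=True)


def render(risks: List[Risk]) -> str:
    """Text rendering of the risk model in the spirit of a CORAS diagram."""
    lines = []
    for r in prioritize(risks):
        lines.append(
            f"[{r.threat_scenario}] exploits {', '.join(r.vulnerabilities)} "
            f"-({r.likelihood})-> [{r.unwanted_incident}] harms <{r.asset}> "
            f"consequence={r.consequence} score={risk_score(r)}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(capec_to_coras(SAMPLE_CAPEC_XML)))
```

Running the block prints four risks for CAPEC-34, one per consequence scope, with the Availability risk last because its consequence is Low. In practice the analyst would then delete risks that do not apply to the target of evaluation and replace the generic likelihood and consequence values with target-specific ones, which is the refinement step the post describes.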
A contribution by Fredrik Seehusen, SINTEF
24 Feb 2015 / rasen_adm / Comments Off
Categories: News